On 10/19/2012 03:46 PM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 10/19/2012 03:10 PM, Rob Crittenden wrote:
>>> Petr Spacek wrote:
>>>> On 10/19/2012 10:10 AM, Martin Kosek wrote:
>>>>> On 10/18/2012 09:42 PM, Rob Crittenden wrote:
>>>>>> We were seeing a unicode failure when trying to request a certificate
>>>>>> with
>>>>>> subject alt names. This one-liner should fix it.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> Yup, this fixes it, works fine on --selfsign IPA CA too.
>>>>>
>>>>> Just when testing your patch, I found out we don't treat some non-DNS
>>>>> subject
>>>>> alternative names well, e.g. email extension, and we try to match it
>>>>> with our hosts:
>>>>>
>>>>> Certificate Request:
>>>>> ...
>>>>>          Attributes:
>>>>>          Requested Extensions:
>>>>>              X509v3 Subject Alternative Name:
>>>>>                  email:f...@testcert.example.com, DNS:web.example.com
>>>>> ...
>>>>>
>>>>> cert-request result:
>>>>>
>>>>> ipa: ERROR: no host record for subject alt name
>>>>> f...@testcert.example.com in
>>>>> certificate request
>>>>
>>>> IMHO there should be a --force option. SAN can contain a lot of
>>>> different things. Also, we can't assume that we manage the whole world
>>>> ... (now :-))
>>>>
>>>
>>> The intention was just to provide support for DNS alt names. I don't
>>> think
>>> requiring that a host entry exists for any alt hosts is asking too much.
>>>
>>> I think a new ticket should be opened to support non-DNS alt names.
>>
>> IMHO SAN names usually contain a lot of "virtual" names like
>> www.shop1.com, ftp.shop1.com, etc.
>>
>> These names are usually CNAMEs to "real" name like srv1.shop1.com. In
>> that case host object doesn't make sense. (But SAN is required for
>> proper certificate validation.)
> 
> The purpose is so we more tightly control what certificates are issued by our 
> CA
> because we automatically issue them.
> 
> rob

I opened a ticket for better Subject Alternative Name check:
https://fedorahosted.org/freeipa/ticket/3196

ACK for patch 1066. Pushed to master, ipa-3-0.

Martin
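The check the thread argues about, as an added example (this is not FreeIPA's cert-request code): decode the DER value of a CSR's SubjectAltName extension, look up only the dNSName entries against the set of known hosts, and report every other GeneralName type (rfc822Name, iPAddress, URI) by type instead of matching it against host records, which is what produced the "no host record for subject alt name <email>" error above. It goes a little beyond the thread by handling IP and URI names too. The `_der_tlv`/`build_general_names` helpers exist only to construct the sample SAN inline; the email address, the `www.shop1.com`/`192.0.2.10` names and the `KNOWN_HOSTS` set are constructed stand-ins for real IPA host entries.

```python
"""Classify GeneralNames in an X.509 SubjectAltName value (RFC 5280 s4.2.1.6).

Added example for the freeipa-devel thread above; not FreeIPA code.
"""
import ipaddress

# GeneralName CHOICE alternatives are context-specific tags [n].
RFC822_NAME, DNS_NAME, URI_NAME, IP_ADDRESS = 1, 2, 6, 7
GENERAL_NAME_TYPES = {RFC822_NAME: "email", DNS_NAME: "DNS",
                      URI_NAME: "URI", IP_ADDRESS: "IP"}


def _read_length(data, pos):
    """Decode a DER definite length at data[pos]; return (length, next_pos)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    num_bytes = first & 0x7F              # long form: number of length octets
    if num_bytes == 0 or num_bytes > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos:pos + num_bytes], "big"), pos + num_bytes


def parse_general_names(der):
    """Parse a DER GeneralNames SEQUENCE into [(type_label, value), ...]."""
    if not der or der[0] != 0x30:
        raise ValueError("SubjectAltName value must be a SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("trailing data after GeneralNames SEQUENCE")
    names = []
    while pos < end:
        tag = der[pos]
        if tag & 0xC0 != 0x80:            # class bits must say context-specific
            raise ValueError("GeneralName must use a context-specific tag")
        tag_number = tag & 0x1F
        length, pos = _read_length(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
        if tag_number == IP_ADDRESS:      # OCTET STRING of 4 or 16 bytes
            text = ipaddress.ip_address(value).compressed
        elif tag_number in (RFC822_NAME, DNS_NAME, URI_NAME):
            text = value.decode("ascii")  # IA5String
        else:                             # otherName, directoryName, ... kept opaque
            text = value.hex()
        names.append((GENERAL_NAME_TYPES.get(tag_number, f"other[{tag_number}]"), text))
    return names


def check_san(der, known_hosts):
    """Return (dns_with_host, dns_without_host, non_dns_names).

    Only dNSName entries are compared with host records; every other type
    is returned separately so policy can decide on it by type.
    """
    ok, unknown, non_dns = [], [], []
    for kind, value in parse_general_names(der):
        if kind == "DNS":
            target = ok if value.lower().rstrip(".") in known_hosts else unknown
            target.append(value)
        else:
            non_dns.append((kind, value))
    return ok, unknown, non_dns


# --- sample-data construction (not part of the check) -----------------------
def _der_tlv(tag, payload):
    """Encode one DER TLV with a definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + payload


def build_general_names(entries):
    """Encode [(tag_number, text), ...] as a GeneralNames SEQUENCE."""
    body = b"".join(
        _der_tlv(0x80 | t, ipaddress.ip_address(v).packed if t == IP_ADDRESS
                 else v.encode("ascii"))
        for t, v in entries)
    return _der_tlv(0x30, body)


# Constructed SAN: one email name, two DNS names, one IP address.
SAMPLE_SAN = build_general_names([
    (RFC822_NAME, "hostmaster@testcert.example.com"),  # constructed address
    (DNS_NAME, "web.example.com"),
    (DNS_NAME, "www.shop1.com"),                       # CNAME-style name, no host entry
    (IP_ADDRESS, "192.0.2.10"),
])
KNOWN_HOSTS = {"web.example.com"}  # constructed stand-in for IPA host entries

if __name__ == "__main__":
    ok, unknown, non_dns = check_san(SAMPLE_SAN, KNOWN_HOSTS)
    for name in unknown:
        print(f"ERROR: no host record for subject alt name {name}")
    for kind, value in non_dns:
        print(f"non-DNS subject alt name skipped by host check: {kind}:{value}")
    print("DNS names with host records:", ok)
```

Run stand-alone it prints one real host-record failure (`www.shop1.com`) and lists the email and IP names as non-DNS entries rather than as missing hosts; whether those non-DNS names should be rejected or require `--force` is the policy question left to the ticket.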

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel